CVE-2023-49911: CWE-121: Stack-based Buffer Overflow in Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3)
A stack-based buffer overflow vulnerability exists in the web interface Radio Scheduling functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926. A specially crafted series of HTTP requests can lead to remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.This vulnerability refers specifically to the overflow that occurs via the `band` parameter at offset `0x422420` of the `httpd` binary shipped with v5.0.4 Build 20220216 of the EAP115.
AI Analysis
Technical Summary
CVE-2023-49911 is a stack-based buffer overflow vulnerability classified under CWE-121, found in the Radio Scheduling functionality of the web interface on the Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) firmware version 5.1.0 Build 20220926. The vulnerability arises due to improper bounds checking on the 'band' parameter within the httpd binary, allowing an attacker to overflow the stack. Exploitation requires the attacker to be authenticated to the device's web interface, after which they can send a series of specially crafted HTTP requests to trigger the overflow. Successful exploitation can lead to remote code execution with the privileges of the httpd process, potentially allowing full control over the device. This compromises the confidentiality, integrity, and availability of the access point, enabling attackers to manipulate network traffic, disrupt wireless services, or pivot into internal networks. The vulnerability is present in a widely deployed firmware version and affects devices commonly used in enterprise and SMB environments. Although no public exploits have been reported, the high CVSS score (7.2) reflects the serious risk posed by this flaw. The vulnerability is related to a similar overflow in the EAP115 device's httpd binary, indicating a possible pattern in Tp-Link's firmware. The attack vector is network-based with no user interaction required, but authentication is mandatory, which somewhat limits exploitation scope. The vulnerability was published in April 2024 and remains unpatched as no vendor patch links are currently available.
Potential Impact
For European organizations, this vulnerability poses a significant risk to network infrastructure security, especially for those relying on Tp-Link AC1350 EAP225 V3 access points for wireless connectivity. Exploitation could lead to unauthorized remote code execution, enabling attackers to take control of the device, intercept or manipulate network traffic, and disrupt wireless services. This could impact business operations, data confidentiality, and network availability. Critical sectors such as finance, healthcare, government, and manufacturing that depend on reliable and secure wireless access are particularly vulnerable. The requirement for authentication reduces the risk of external attackers without credentials but insider threats or compromised credentials could facilitate exploitation. Additionally, compromised access points could serve as footholds for lateral movement within corporate networks, increasing the overall attack surface. The lack of known exploits in the wild currently reduces immediate risk but the vulnerability's high severity and public disclosure increase the likelihood of future exploitation attempts. Organizations with remote management enabled on these devices face higher exposure. Given the widespread use of Tp-Link devices in European SMBs and enterprises, the potential impact is broad and could affect network security posture significantly.
Mitigation Recommendations
1. Immediately restrict access to the management interface of affected Tp-Link AC1350 EAP225 V3 devices to trusted internal networks or VPNs only, blocking external internet access. 2. Enforce strong authentication mechanisms and change default or weak credentials to reduce risk of unauthorized access. 3. Monitor network traffic for unusual HTTP requests targeting the Radio Scheduling functionality or anomalous behavior from access points. 4. Disable the Radio Scheduling feature if not required to reduce attack surface. 5. Implement network segmentation to isolate wireless access points from critical internal systems. 6. Regularly audit and update device firmware; apply vendor patches promptly once released. 7. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts targeting this vulnerability. 8. Maintain strict logging and alerting on access point management activities to detect potential compromise early. 9. Educate administrators on the risks of this vulnerability and enforce least privilege principles for device management. 10. Consider alternative hardware or firmware solutions if timely patching is not feasible.
Affected Countries
Germany, France, United Kingdom, Italy, Spain, Netherlands, Poland, Belgium, Sweden, Austria
CVE-2023-49911: CWE-121: Stack-based Buffer Overflow in Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3)
Description
A stack-based buffer overflow vulnerability exists in the web interface Radio Scheduling functionality of Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) v5.1.0 Build 20220926. A specially crafted series of HTTP requests can lead to remote code execution. An attacker can make an authenticated HTTP request to trigger this vulnerability.This vulnerability refers specifically to the overflow that occurs via the `band` parameter at offset `0x422420` of the `httpd` binary shipped with v5.0.4 Build 20220216 of the EAP115.
AI-Powered Analysis
Technical Analysis
CVE-2023-49911 is a stack-based buffer overflow vulnerability classified under CWE-121, found in the Radio Scheduling functionality of the web interface on the Tp-Link AC1350 Wireless MU-MIMO Gigabit Access Point (EAP225 V3) firmware version 5.1.0 Build 20220926. The vulnerability arises due to improper bounds checking on the 'band' parameter within the httpd binary, allowing an attacker to overflow the stack. Exploitation requires the attacker to be authenticated to the device's web interface, after which they can send a series of specially crafted HTTP requests to trigger the overflow. Successful exploitation can lead to remote code execution with the privileges of the httpd process, potentially allowing full control over the device. This compromises the confidentiality, integrity, and availability of the access point, enabling attackers to manipulate network traffic, disrupt wireless services, or pivot into internal networks. The vulnerability is present in a widely deployed firmware version and affects devices commonly used in enterprise and SMB environments. Although no public exploits have been reported, the high CVSS score (7.2) reflects the serious risk posed by this flaw. The vulnerability is related to a similar overflow in the EAP115 device's httpd binary, indicating a possible pattern in Tp-Link's firmware. The attack vector is network-based with no user interaction required, but authentication is mandatory, which somewhat limits exploitation scope. The vulnerability was published in April 2024 and remains unpatched as no vendor patch links are currently available.
Potential Impact
For European organizations, this vulnerability poses a significant risk to network infrastructure security, especially for those relying on Tp-Link AC1350 EAP225 V3 access points for wireless connectivity. Exploitation could lead to unauthorized remote code execution, enabling attackers to take control of the device, intercept or manipulate network traffic, and disrupt wireless services. This could impact business operations, data confidentiality, and network availability. Critical sectors such as finance, healthcare, government, and manufacturing that depend on reliable and secure wireless access are particularly vulnerable. The requirement for authentication reduces the risk of external attackers without credentials but insider threats or compromised credentials could facilitate exploitation. Additionally, compromised access points could serve as footholds for lateral movement within corporate networks, increasing the overall attack surface. The lack of known exploits in the wild currently reduces immediate risk but the vulnerability's high severity and public disclosure increase the likelihood of future exploitation attempts. Organizations with remote management enabled on these devices face higher exposure. Given the widespread use of Tp-Link devices in European SMBs and enterprises, the potential impact is broad and could affect network security posture significantly.
Mitigation Recommendations
1. Immediately restrict access to the management interface of affected Tp-Link AC1350 EAP225 V3 devices to trusted internal networks or VPNs only, blocking external internet access. 2. Enforce strong authentication mechanisms and change default or weak credentials to reduce risk of unauthorized access. 3. Monitor network traffic for unusual HTTP requests targeting the Radio Scheduling functionality or anomalous behavior from access points. 4. Disable the Radio Scheduling feature if not required to reduce attack surface. 5. Implement network segmentation to isolate wireless access points from critical internal systems. 6. Regularly audit and update device firmware; apply vendor patches promptly once released. 7. Employ intrusion detection/prevention systems (IDS/IPS) tuned to detect exploitation attempts targeting this vulnerability. 8. Maintain strict logging and alerting on access point management activities to detect potential compromise early. 9. Educate administrators on the risks of this vulnerability and enforce least privilege principles for device management. 10. Consider alternative hardware or firmware solutions if timely patching is not feasible.
For access to advanced analysis and higher rate limits, contact root@offseq.com
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- talos
- Date Reserved
- 2023-12-01T22:10:32.247Z
- Cvss Version
- 3.1
- State
- PUBLISHED
Threat ID: 690a473c6d939959c8021c5a
Added to database: 11/4/2025, 6:34:36 PM
Last enriched: 11/4/2025, 7:11:41 PM
Last updated: 11/5/2025, 3:25:26 PM
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-64459: CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') in djangoproject Django
HighCVE-2025-64458: CWE-407: Inefficient Algorithmic Complexity in djangoproject Django
HighCVE-2025-52602: CWE-359: Exposure of Private Personal Information to an Unauthorized Actor in HCL Software BigFix Query
MediumCVE-2025-3125: CWE-434 Unrestricted Upload of File with Dangerous Type in WSO2 WSO2 Identity Server
MediumCVE-2025-47151: CWE-843: Access of Resource Using Incompatible Type ('Type Confusion') in Entr'ouvert Lasso
CriticalActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need enhanced features?
Contact root@offseq.com for Pro access with improved analysis and higher rate limits.